New State Privacy Laws Signal Growing Partisan Divide
The 2026 legislative cycle reveals that state privacy law is diverging along partisan lines. Red-state legislatures are pursuing frameworks that retain the Virginia architecture while easing compliance burdens through broader exemptions, narrower sale definitions, permanent cure periods, and fewer assessment requirements. Blue states are moving in the opposite direction, expanding sensitive-data categories, imposing new technology-specific obligations, and broadening applicability.
This alert examines Louisiana’s, Oklahoma’s, and Alabama’s new laws alongside Vermont’s bill, which, after years of negotiation, passed the legislature on May 29 and awaits Governor Phil Scott’s signature.
Louisiana
The Louisiana Data Privacy Act, signed into law and effective January 1, 2027, applies to persons doing business in Louisiana that satisfy any one of three conditions:
- Annual gross revenues exceeding $25 million.
- Annually buying, receiving, selling, or sharing personal information of 75,000 or more consumers, households, or devices.
- Deriving 50% or more of annual revenues from selling consumers’ personal information.
This revenue-based threshold is unique among the 2026 red-state enactments and substantially broadens the law’s reach. The statute also defines “sale” more broadly to include exchanges for monetary or other valuable consideration. Notably, Louisiana mandates conspicuous data sale notices. If a controller sells sensitive personal information, it must post: “NOTICE: We may sell your sensitive personal data.” If it sells biometric data specifically, the notice must state: “NOTICE: We may sell your biometric personal data.”
However, the Louisiana Data Privacy Act is akin to the Virginia model in many respects. The act provides the most common rights to consumers, including the right to access and confirm, correct, delete, and obtain portable copies of their personal data, and the right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Moreover, enforcement rests exclusively with the attorney general, and there is no private right of action. Controllers have a 30-day cure window only from January 1, 2027, through July 31, 2027. Entity-level exemptions also track the Virginia model: state agencies, Gramm-Leach-Bliley Act (GLBA) (entity level), Health Insurance Portability and Accountability Act (HIPAA) (entity level), nonprofits, higher education institutions, electric utilities, and public opinion poll conductors are excluded.
Alabama
The Alabama Personal Data Protection Act, effective May 1, 2027, applies to persons conducting business in Alabama or producing products or services targeted to Alabama residents that either:
- Control or process personal information of more than 25,000 consumers (excluding payment transactions).
- Derive more than 25% of gross revenue from the sale of personal information.
Alabama provides the same set of consumer rights as Louisiana and the Virginia model. Critically, Alabama does not require data protection impact assessments, making it the only comprehensive state privacy law to dispense with this obligation entirely.
While Alabama defines “sale” to include monetary or other valuable consideration, it pairs this broad definition with extensive carve-outs that significantly narrow its practical scope. Excluded from the definition are: disclosures to processors, disclosures necessary to provide a product or service requested by the consumer, affiliate disclosures, consumer-directed disclosures, information the consumer made publicly available, disclosures in connection with mergers, acquisitions, or bankruptcy, and, most significantly, disclosures for analytics services and marketing services solely to the controller.
The analytics and marketing carve-outs are unprecedented among state privacy laws and effectively insulate common digital advertising data flows from opt-out requirements. The act also has the broadest exemptions of any state: political subdivisions, higher education, national securities associations, GLBA (entity level), HIPAA (entity level), businesses with fewer than 500 employees that do not sell personal information, nonprofit entities with fewer than 100 employees that do not sell personal information, political organizations (including PACs, political parties, campaign committees, and businesses selling data primarily to such organizations), electric providers, and persons regulated by specific Alabama insurance chapters. The small-business exemption is particularly significant and expands such exemptions beyond Texas and Nebraska.
Alabama also provides a permanent 45-day cure period, the longest of any state. The attorney general must therefore issue notice of a violation and provide the opportunity to cure before seeking a penalty. There is no private right of action.
Oklahoma
The Oklahoma Data Privacy Act, effective January 1, 2027, is the most faithful to the Virginia model among the three new laws. It applies to controllers and processors conducting business in the state or producing products or services targeted to Oklahoma residents that, during a calendar year, either:
- Control or process personal information of at least 100,000 consumers.
- Control or process personal information of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal information.
The higher secondary revenue threshold (50% versus the typical 25%) further narrows the pool of covered entities.
Oklahoma grants the standard suite of consumer rights, consistent with the Virginia model. Unlike Alabama, Oklahoma follows every other state and does require data protection impact assessments for targeted advertising, sale of personal information, profiling with foreseeable risk, sensitive data processing, and heightened-risk processing. Oklahoma defines “sale” narrowly to include only exchanges for monetary consideration — the Virginia approach — thus excluding data sharing for non-monetary value.
The new Oklahoma law provides a permanent 30-day cure period, with attorney general-exclusive enforcement. Notably, Oklahoma does not mandate a universal opt-out mechanism or Global Privacy Control recognition, and it includes no authorized agent provisions for opt-out. Exemptions follow the Virginia model: state agencies and political subdivisions, GLBA (entity level), HIPAA (entity level), nonprofits, higher education, and personal or household activities.
Vermont’s Proposed Data Privacy and Online Surveillance Act
Together, Louisiana, Alabama, and Oklahoma show how red-state legislatures are consolidating around business-friendlier versions of the Virginia framework. Vermont’s proposed Data Privacy and Online Surveillance Act moves in the opposite direction. If signed by Governor Scott, it would be one of the most progressive state privacy laws in the nation. The proposed law applies to entities that, in the preceding calendar year:
- Controlled or processed personal information of 35,000 or more consumers.
- Controlled or processed sensitive data of 3,000 or more consumers.
- Offered for sale personal information of 3,000 or more consumers.
Vermont’s proposal goes well beyond the Virginia template. It features a dramatically expanded sensitive-data definition encompassing neural data, financial account numbers and login information, government-issued identification numbers, consumer health data, gender-affirming health data, and reproductive and sexual health data — broader than any existing state law. Consumer health data provisions apply to all entities targeting Vermont residents regardless of processing-volume thresholds. Moreover, the proposed law prohibits the use of geofencing within 1,850 feet of any health care facility (including mental health and reproductive or sexual health facilities) to identify, track, collect data from, or notify consumers regarding consumer health data. Like Connecticut’s law, the proposed law also requires privacy notices to disclose whether a controller collects, uses, or sells personal information to train large language models.
Vermont does provide a 60-day cure period that sunsets in 2029. Enforcement is only by the attorney general; there is no private right of action. Exemptions are narrower than the Virginia model and include both entity-level and data-level carve-outs, such as GLBA (data level), HIPAA (entity and data level), government entities, nonprofit organizations (only those established to detect insurance fraud, noncommercial media activities, or victim services organizations), and personal or household activities. There is no blanket exemption for higher education.
If you have any questions, please reach out to your ArentFox Schiff contact or a member of the Privacy & Data Security team.